Sign-up

ID

VAR-202001-1486


CVE

CVE-2019-10940


TITLE

SIEMENS SINEMA Server Incorrect Session Authentication Vulnerability

Trust: 0.8

sources: IVD: fe5704e0-4e6d-4125-a613-57ba8ad43d7a // CNVD: CNVD-2020-02224

DESCRIPTION

A vulnerability has been identified in SINEMA Server (All versions < V14.0 SP2 Update 1). Incorrect session validation could allow an attacker with a valid session, with low privileges, to perform firmware updates and other administrative operations on connected devices. The security vulnerability could be exploited by an attacker with network access to the affected system. An attacker must have access to a low privileged account in order to exploit the vulnerability. An attacker could use the vulnerability to compromise confidentiality, integrity, and availability of the affected system and underlying components. At the time of advisory publication no public exploitation of this security vulnerability was known. SINEMA Server Contains a privilege management vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. SINEMA Server is the network management software designed by Siemens for Industrial Ethernet. ** ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided

Trust: 2.34

sources: NVD: CVE-2019-10940 // JVNDB: JVNDB-2019-014225 // CNVD: CNVD-2020-02224 // IVD: fe5704e0-4e6d-4125-a613-57ba8ad43d7a

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: fe5704e0-4e6d-4125-a613-57ba8ad43d7a // CNVD: CNVD-2020-02224

AFFECTED PRODUCTS

vendor:siemensmodel:sinema serverscope:eqversion:14.0

Trust: 1.0

vendor:siemensmodel:sinema serverscope:ltversion:14.0

Trust: 1.0

vendor:siemensmodel:sinema server sp2 updatescope:ltversion:v14.01

Trust: 0.8

vendor:siemensmodel:sinema serverscope:ltversion:14.0 sp2 update 1

Trust: 0.8

sources: IVD: fe5704e0-4e6d-4125-a613-57ba8ad43d7a // CNVD: CNVD-2020-02224 // JVNDB: JVNDB-2019-014225 // NVD: CVE-2019-10940

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-10940
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-10940
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2020-02224
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202001-536
value: CRITICAL

Trust: 0.6

IVD: fe5704e0-4e6d-4125-a613-57ba8ad43d7a
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2019-10940
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-02224
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: fe5704e0-4e6d-4125-a613-57ba8ad43d7a
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2019-10940
baseSeverity: CRITICAL
baseScore: 9.9
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.1
impactScore: 6.0
version: 3.1

Trust: 1.0

NVD: CVE-2019-10940
baseSeverity: CRITICAL
baseScore: 9.9
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: fe5704e0-4e6d-4125-a613-57ba8ad43d7a // CNVD: CNVD-2020-02224 // JVNDB: JVNDB-2019-014225 // CNNVD: CNNVD-202001-536 // NVD: CVE-2019-10940

PROBLEMTYPE DATA

problemtype:CWE-269

Trust: 1.8

problemtype:CWE-266

Trust: 1.0

sources: JVNDB: JVNDB-2019-014225 // NVD: CVE-2019-10940

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202001-536

TYPE

other

Trust: 0.8

sources: IVD: fe5704e0-4e6d-4125-a613-57ba8ad43d7a // CNNVD: CNNVD-202001-536

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-014225

PATCH
title:SSA-880233url:https://cert-portal.siemens.com/productcert/pdf/ssa-880233.pdf
Trust: 0.8
title:Patch for SIEMENS SINEMA Server Incorrect Session Authentication Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/197091
Trust: 0.6
title:Siemens SINEMA Server Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=108523
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-02224 // 
            
            
            
            JVNDB: JVNDB-2019-014225 // 
            
            
            
            CNNVD: CNNVD-202001-536

EXTERNAL IDS
db:NVDid:CVE-2019-10940
Trust: 3.2
db:ICS CERTid:ICSA-20-014-02
Trust: 2.4
db:SIEMENSid:SSA-880233
Trust: 2.2
db:CNVDid:CNVD-2020-02224
Trust: 0.8
db:CNNVDid:CNNVD-202001-536
Trust: 0.8
db:JVNDBid:JVNDB-2019-014225
Trust: 0.8
db:AUSCERTid:ESB-2020.0157
Trust: 0.6
db:IVDid:FE5704E0-4E6D-4125-A613-57BA8AD43D7A
Trust: 0.2
sources:
            
            
            IVD: fe5704e0-4e6d-4125-a613-57ba8ad43d7a // 
            
            
            
            CNVD: CNVD-2020-02224 // 
            
            
            
            JVNDB: JVNDB-2019-014225 // 
            
            
            
            CNNVD: CNNVD-202001-536 // 
            
            
            
            NVD: CVE-2019-10940

REFERENCES
url:https://www.us-cert.gov/ics/advisories/icsa-20-014-02
Trust: 2.4
url:https://cert-portal.siemens.com/productcert/pdf/ssa-880233.pdf
Trust: 2.2
url:https://nvd.nist.gov/vuln/detail/cve-2019-10940
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10940
Trust: 0.8
url:https://www.auscert.org.au/bulletins/esb-2020.0157/
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-02224 // 
            
            
            
            JVNDB: JVNDB-2019-014225 // 
            
            
            
            CNNVD: CNNVD-202001-536 // 
            
            
            
            NVD: CVE-2019-10940

SOURCES
db:IVDid:fe5704e0-4e6d-4125-a613-57ba8ad43d7a
db:CNVDid:CNVD-2020-02224
db:JVNDBid:JVNDB-2019-014225
db:CNNVDid:CNNVD-202001-536
db:NVDid:CVE-2019-10940

LAST UPDATE DATE
2024-08-14T14:25:59.121000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2020-02224date:2020-01-15T00:00:00
db:JVNDBid:JVNDB-2019-014225date:2020-02-06T00:00:00
db:CNNVDid:CNNVD-202001-536date:2021-09-18T00:00:00
db:NVDid:CVE-2019-10940date:2021-09-20T12:15:09.710

SOURCES RELEASE DATE
db:IVDid:fe5704e0-4e6d-4125-a613-57ba8ad43d7adate:2020-01-14T00:00:00
db:CNVDid:CNVD-2020-02224date:2020-01-15T00:00:00
db:JVNDBid:JVNDB-2019-014225date:2020-02-06T00:00:00
db:CNNVDid:CNNVD-202001-536date:2020-01-14T00:00:00
db:NVDid:CVE-2019-10940date:2020-01-16T16:15:15.887